Einige Fragen zu GNU Social

Für einen Blogpost von Alex habe ich von ihm einige Fragen zu GNU Social bekommen, die ich natürlich gerne beantwortet habe. Er möchte dazu eine Übersicht über verschiedene Nodes ausarbeiten. Meine Antworten stelle ich hier schon mal vorab zum Lesen bereit. Das ganze ist plain text aus der Antwortmail kopiert, daher ohne irgendwelche schönen Formatierungen. Falls ihr auch Fragen habt, beantworte ich die gerne auch unten in den Kommentaren.

(Alles auf Englisch, da der Blogpost wohl auch englischsprachige Admins einschließen wird.)

> Gnusocial configuration
> =======================
> – How many characters per queet are possible on your instance?
1024 chars.

> – Which plugins are installed on your instance?
Activity, Autocomplete, ClientSideShorten, ChooseTheme, EmailReminder, ExtendedProfile, FeedPoller, GroupPrivateMessage, LRDD, ModPlus, OStatus, OpenExternalLinkTarget, Qvitter, StaleAccounts, Statistics, StoreRemoteMedia, TabFocus, TwitterBridge (posting only, no import due to ressource overusage), WebFinger

> – Do you keep up with the most recent version or are you testing new
> versions for a while before using them?
I’m quite close to current nightly status. All code comes from Git so if anything goes wrong I’m moving back some commits.

> Users, Stability & Money
> ========================
> Users would like a service, which lasts forever and runs fast and
> reliable. Can you tell something about how your service tries to achieve
> this?
I recently got a similar question and told the people asking that I have no intention to close the node. But I can’t (and don’t want to) promise things I can’t do with a good conscience. There’s no guarantee – not for gnusocial.de as well as for any service around. The only thing I can promise is that in case of closing gnusocial.de I will do my very best to get a successing admin and/or to help people migrate to another node.

To make financial issues more transparent I have a page on the wiki:

> – How many users does your service have?
Registered accounts currently: 917
Actively posting users (can only be estimated): ~20-30

> – For how long does it exist?
The domain was registered in February 2014, the complete instance launched on July 22nd, 2014.

> – How do you pay for the service? Do you get enough donations, do you
> have sponsors or do you pay for it yourself?
I mostly pay the monthly fees and annualy domain fees myself. From time to time someone donates a few bucks.

> – What do you need to pay for hardware / hosting?
Monthly fees 18,99€ plus .de Domain plus SSL cert (both annually paid).

> – Are there costs for moderating / maintaining the site?
There are no costs in money but of course maintaining „costs“ spare time.

> – How do you want to ensure, the service will last (That it can be payed
> for and there are enough people, who keep it running)?

> – How can your users support you? Do you accept donations? Are there
> other ways to say thank you, like a amazon wishlist or flattr?
Yes, after some people asking I added donation information at the wiki.
But there’s no Amazon wishlist or special Flattr thing. The local community is not too big and I keep in touch with most users. So if someone wants do give me a present, he or she just can drop me a line.

> Abuse Handling
> ==============
> The larger the site, the more abusive users will come. How do you handle
> the moderation on your site?
> – How can users report abusive Queets / private Messages?
Just @-mention me.

> – How fast can the moderation handle such requests?
As soon as I see the @-mention I will look into the issue.
Furthermore they can simply send me an email: https://gnusocial.de/doc/contact

> – Are you actively moderating the site or just handling reports?
Until now I never had a really severe problem so active moderation wasn’t necessary. During the rush within the past 2-3 weeks there registered some companies. I wrote to them in advance pointing to the terms of service, not because they did anything wrong but to avoid disappointment.

> – Do you have specific policies how to react on which type of incident?
No. As long as there’s no need I try to talk to people and explain problems.
Nevertheless there’s the terms of service page and a quick round up during the registration process. A copy of this text is available on the wiki:

> – Is there a page with the rules for your instance or do you rely on
> common sense and notify users, when they are going too far?
Both. See previous question.

> – Can you tell something about the possible consequences for breaking
> the rules?
It’s quite simple: Three steps. First, the user gets advice. Second, he get’s a serious warning. Third, I will delete (yes, *delete*) the account.

> – Do you notify authorities for serious incidents or do you just ban the
> users and let the victim report it to the police themself?
Luckily I never got into such a situation so I can only guess, that it would depend. For sure I would support the victim but at first I would talk to a lawyer what to do.

> Moderation
> ==========
> Moderation to prevent abuse is important, but too much moderation can
> hurt a site. Moderating legal but possibly offensive posts may create
> chilling effects, where people censor themself to avoid being moderated
> or even banned for unpopular opinions.
> – When do you delete possibly offensive tweets?
Never. But I’m under German jurisdiction so I have to I try to talk to the people that something (e.g. porn) ain’t welcome on this node. There are other nodes specialised on such topics. So users don’t have to leave

> – When do you warn users?
If they:
– post commercial advertisments.
– post content forbidden by German law

> – When do you temporarily ban users?

> – When do you permanently ban users?

> – Do your moderators discuss decisions among themselfes or are they
> acting on their own?
I’m the only moderator but for things I’m unsure I try to contact admins of other nodes and long-term users of my node to get a well-based decision.

> – Do you discuss the moderation with the users?
See previous question.

> – How do you avoid, that moderators are biased to their own opinion in
> the discussion, which they are moderating?
If things are getting too hot I guess I would change communication from public to private emails, chats or whatever.

> – Do you think your users need to think about being moderated before
> writing a queet?
No, absolutely not. As said before I will *always* contact users if they post things which are a problem. I strongly believe in solving problems by talking at first.

> – Do you have any rules, which require the users to think beyond common
> sense before posting, like avoiding tv spoilers?
No. If users post things others don’t want to read they will be told so by the people affected.

> – Where does inacceptable behaviour start on your instance? (bad
> opinions expressed in a serious manner / flame wars / trolling / insults
> / haressment / serious threats)
The inacceptable behaviour for me is when someone tells you about your misbehaviour and still you don’t stop. On gnusocial.de you can say anything sticking to the terms of service, as long as nobody has a problem with that.

> – What are your moderators doing with reports for queets in heated
> discussions, which are strictly speaking not breaking a rule, but
> offending other users in the discussion?
I don’t have any moderators, so: see previous question.

> – How are you moderating queets from other gnusocial instances?
I am not yet. Currently I’m waiting for this feature to be implemented in GNU Social so I can filter out adult-only content from other instances to appear on public timelines. To avoid misunderstandings: users following accounts from these instances will still get the contents. I’m not a nanny judging on anyone for being naughty.

> Backup & Privacy
> ================
> Some instances have plugins for backup, others don’t have this option.
> What options do you provide for your users? How do you handle the
> privacy of your users?
In terms of microblogging I think there is no privacy at all. It counteracts the idea of posting things public online. Microblogging ain’t made for private communications. Nevertheless, posting anon- and pseudonymously on gnusocial.de is of course possible:
– users can register whatever username they like
– there is no clear name policy and there will never be
– webserver logfiles are anonymized: all users‘ IP adress is
– a working email address is *needed* only for signup and password resets
– access via TOR is welcome, no Cloudflare or similar captcha crap

> – Can your users export their data (queets, private messages)?
Yes, sort of. The data migration feature is broken in GNU Social generally, not only on my node. So exporting the data will need an admin’s hand. I’m absolutely willing to do my very best to let users get their data.

> – Is there a way to import this data or data from other gnusocial instances?
See question above and: I never had this case yet so I can’t tell how good it works.

> – Do you have backups for your server, i.e. in case of hardware failure?
Of course. The server is a VPS so hardware failure is not on my watch but on the provider’s. Nevertheless I keep backups of both the database and the uploaded files for a short time to avoid problems e.g. due to update on GNU Social’s software.

> – Can your users delete their account?
Of course. Every user profile has a delete button. But beware: this button unlike e.g. Facebook *really* deletes the account and any related date. So better be sure what you’re doing! 🙂

> – How long does it take for the data to be deleted completely (i.e.
> disappear from any backups)?
Depending on the amount of data 1-10 minutes.

> – Do you retain any data after deletion, i.e. to as proof for abusive
> behaviour, to enable recovery of the deleted account or to prevent
> others from reregistering the account name?
Both: No. And to be honest I’m not willing to pull back accidentily deleted accounts from a recent backup.

> – Do you ever read private messages? Under which circumstances would you
> do so and would you inform the users afterwards?
No. I wouldn’t under any circumstances. Even if I was forced to hand over the server’s data I would not read private messages.

> Security
> ========
> – How are you protecting the data (i.e. is the server hard disk encrypted)?
No. The server is secured by a strong SSH password, no root login in via SSH and fail2ban. Security updates are installed very quickly (normally within 1-2 hours from being available)

> – Does your site use HTTPS?
Yes. HTTP requests are forwarded to HTTPS.

> – Did you configure more security options like a HSTS header?
Yes. HSTS and HTKP is enabled.

> Legal Issues
> ============
> It is pretty common that people post copyrighted images on social media,
> which can get them into trouble*. A smaller site may have problems to
> get accused of the vialogation itself instead of the user.
> How do you handle copyrighted content and law enforcement requests?

Posting copyrighted content is prohibited by the terms of service. But I’m not monitoring what people post so I can’t act proactively on such things. Though if it comes to my knowledge I have to act and would try to contact the user to take content down.

> – Do you inform your users about rules for posting copyrighted images /
> texts?
Yes, it’s in the terms of service.

> – Do you try to actively moderate copyright violations or do you take
> down content only on request?
Only on request.

> – What would you do, when you receive a DMCA notice or a similiar
> request in your country?
I would try to contact the user to inform him and ask to delete the content. If he doesn’t do or ain’t responding I would comply to the DMCA notice.

> – What do you do about images violating personality rights of people in
> the image?
If I get a request: see question above. Otherwise I’m not monitoring what people post so I can’t act on such things.

> – How would you handle requests for the EU „right to be forgotten“ law?
To be honest: I think this law is ridiculous and useless. I never thought about what to do when I recieve such a request. I guess I would contact a lawyer before doing anything.

> – Did you think about getting a national security letter?
Yes, but as I’m not under U.S. juristdiction I hardly care. Nevertheless getting a warant canary is on my to do list.

> Technical Information
> =====================
> Can you tell something about how you run the website?
> – What hardware are you using?
The server is VPS at Netcup Hosting (https://www.netcup.de) with 12 GB RAM and 4 vCPUs

> – What software (i.e. operation system, etc.) are you using?
Debian stable.

> – Does the server just run gnusocial or are you using it for other
> things as well?
The server hosts GNU social, a small wiki (Dokuwiki) and some scripts for automated posts to GNU Social.

> – Is your server very busy with the instance?
No. 8 out of 12 GB RAM are used, the 4 vCPUs are at about 10% load.

> Final thoughts
> ==============
> – Why should users choose your instance?
I don’t care.
If users choose my instance I’m happy. If they choose another one I’m happy as well. The good thing with GNU Social is that no matter where users are everyone can communicate with everyone.
Aside that it would be good if users choose smaller instances in favor to the big ones (e.g. quitter.se) to spread the ressource load over all nodes and to avoid single points of failure.

> – Do you want to tell anything else?
If any information is missing within all these questions I’m very happy to give answers, either via GNU Social or directly via email.

> *
> https://www.washingtonpost.com/news/the-intersect/wp/2015/09/08/how-copyrigh
> t-is-killing-your-favorite-memes/